Define the access management system


Assignment: Project Plan

Hospital to Research (Kaiser Permanente)

Select a hospital or health care organization as your case to research. Consider an organization you are familiar with or one for which you can find sufficient information. To maintain confidentiality, you do not need to mention the name of the organization. You can also refer to the Health and Human Services (HHS) site for organizations that have reported breaches. Also, read this cybersecurity field overview to consider different roles that may apply as you review your case.

Now that you have chosen a case, the next action is to establish how you will apportion the work. Use your team space to share ideas and drafts of each member's contribution.

Conduct research to capture the organization's infrastructure and processes and the threats to personal health information (PHI), and determine a strategy to mitigate the threats you anticipate. This research will go into the technical report (or white paper, nine to 10 pages excluding cover sheet, references, and any appendices). After the paper is written, you will create a one-page executive summary of the paper. It will be part of the technical report document, immediately after the cover sheet and before the text of the report.

2. Create an Organizational Profile for Your Case

Now, it is time to research your chosen case to determine how the organization's IT department operates, how it is structured, and how PHI is moved around the organization for stakeholders' use. Next, review the materials in the links below to define and describe the hospital's information system infrastructure.

It is important to understand the organization's workflow processes: how they move patient information to the business units that need to process and manage that information, from billing to physician care. All these organizations employ hardware and software within their information systems. It is critical to understand these components, termed a "typology," and how the components are connected so that appropriate security is put in place to protect sensitive information.

Your research should provide examples of how an information system is connected to cybersecurity components, like firewalls in the information system and network. Be sure you understand the benefits and weaknesses of your case's network topology.

Your definition of the organization's typology should include a high-level description of information systems hardware and software components and their interactions. Take time to read the following resources.

The table below provides a focus for your search strategies. You should consult scholarly resources as well as online resources, newspapers, websites, and IT blogs for similar contemporary cases.

Topics to Address in the Organizational Profile

1. Describe the organization and structure. The structure will include the different business units and their functions. You may use an organizational chart to provide this information.

2. Define information security needs to protect mission-critical systems. Choose one or more mission-critical systems of the health care organization. Define the information protection needs for the organization's mission-critical protected health information (PHI). This information is stored in database medical records for doctors, nurses, and insurance claims billing systems, which are used to fulfill the organization's information needs.

3. Define the workflows and processes for the high-level information systems that you have just identified. Workflows and processes for health care organizations define how the organization gets its work done.

4. Describe how the typology fulfills the needs of the health care organization. You may supply this information as a diagram with inputs, outputs, and technologies to define workflows and processes for the high-level information systems.

In the next step, you will consider threats to the organization's information security and how to mitigate them.

3. Develop Analysis of Threats to the Organization's Information Systems Infrastructure

Now that you have defined the hospital's information system infrastructure, you will have to learn about and demonstrate your understanding of the potential threats to those systems and the types of measures that could address those threats. In this section, you will learn about different types of identity access management solutions and how they protect against the threat of unauthorized access.

To complete this section of the report, start by reviewing the following resources:

• Web security issues
• Insider threats
• Intrusion motives/hacker psychology
• CIA triad

Take what you learned about potential threats to assess the threat(s) to the hospital's information systems infrastructure. Include a brief summary of insider threats, intrusion motives, and hacker psychology in your report as it relates to your organization's data processing systems. Relate these threats to the vulnerabilities in the CIA triad.

Your report will also include a description of the purpose and components of an identity management system, to include authentication, authorization, and access control. Include a discussion of doctors' use of laptop devices when they visit their patients at the hospital and need access to hospital PHI data. Review the following resources:

• Authorization
• Access control
• Passwords
• Multifactor authentication

Next, expand your description by defining the types of access control management, to include access control lists in operating systems, role-based access controls, files, and database access controls. Define types of authorization and authentication and the use of passwords, password management, and password protection in an identity management system. Describe common factor authentication mechanisms to include multifactor authentication.

Topics to Address in the Description of Threats and Mitigation Strategies

1. Describe potential threats to the organization's critical mission areas. These may include sloppy information security practices, insider threats, or hackers wishing to steal personal data. Relate these threats to the vulnerabilities in the CIA triad.

2. Describe how the organization restricts access to protect billing and PHI. Explain the organization's processes and workflows to safeguard PHI, specifically the use of passwords, password management, and password protection in an identity management system.

3. Define the access management system. What types of access control management, to include access control lists in operating systems, role-based access controls, files, and database access controls, will it take to ensure that access is limited to those with a need to know?

4. Define factor authentication systems. How do common factor authentication mechanisms, to include multifactor authentication practices, safeguard sensitive information for an organization like this?

5. Discuss strategic considerations and provide recommendations. Review the mission and organization structure of your organization as well as roles within the organization, and recommend accesses, restrictions, and conditions for each role.

6. Discuss the manager's risk considerations. What will happen if the CIO and the leaders do nothing and decide to accept the risks? Could the CIO transfer, mitigate, or eliminate the risks? What are the projected costs to address the risks?

Format your assignment according to the following formatting requirements:

1. The answer should be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides.

2. The response also includes a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.

3. Also include a reference page. The citations and references should follow APA format. The reference page is not included in the required page length.
